eCommerce Fraud: Build a Human Firewall

There is a fellow from Europe named Kevin Mitnick, who can find your Social Security number online in 15 seconds. He was the hacker who was elevated to “computer terrorist” status by the FBI and Interpol. They caught him and put him in jail for five years, but there are thousands like him, who spend their hours, days, and lives in search of the mother lode of information. There also are less sophisticated folks who dive in dumpsters and trash cans for receipts, bills, anything that might bear sensitive information. They steal an identity and with that, they steal your money.

Mitnick doesn’t “hack” anymore, he is banned for life from surfing the web. He makes his money now from the people he used to victimize, the big companies whose systems he used to break into. Mitnick teaches people how to avoid being hacked. And guess what. He doesn’t talk much about firewalls or secure portals or encryption keys; he talks a lot about people. In a Reuters news story in early March, Mitnick argues that that while sophisticated technology can help keep networks clean from viruses, it is useless if hackers can con a company’s employees or any unsuspecting citizen into handing over passwords by posing, for example, as colleagues.

“Hackers find the hole in the ‘human firewall’,” Mitnick told an information technology security conference in Johannesburg, South Africa. “What’s the biggest hole? It’s the illusion of invulnerability.”

“Social engineering”, as hackers call tricking people, formed the main thrust of his career, in which he penetrated some of the world’s most sophisticated systems, often by persuading unwitting staff to hand over top-secret information.

The Front Line

The front line of defense against the Internet fraudsters is a proactive approach on the part of anyone who collects, possesses, uses or transmits sensitive data. You can have all of the latest and greatest technical tools to protect data and your system, but when the human component breaks down, the hordes can and will come through the gate.

Is it really that big an issue? You bet it is. For merchants, the threat comes in areas like credit card fraud and vulnerable data storage systems. Because the threats are so many, so varied, and so sophisticated, companies like Authorize.Net, one of the world’s largest electronic payment gateways, spend millions of dollars and tens of thousands of man-hours every year to build and maintain secure systems to protect data in storage and transmission.

Authorize.Net uses a set of integrated fraud tools as standard features of every customer account, such as Address Verification Service (AVS) and Card Code Verification (CVV/CVC2/CID) that provide merchants with general protection from fraud. However, to proactively fight and prevent fraud, merchants need to employ more advanced fraud detection tools in their own systems that are designed to single out fraudulent transactions. Authorize.Net’s Fraud Detection Suite is composed of several filters and tools that work together to evaluate transactions for indications of fraud. Their combined logic provides a powerful and highly effective defense against many fraudulent transactions.

However, as powerful as the tech tools are, the biggest campaign against fraud needs to be waged on the education front. Stephanie Gibbons is a fraud-prevention expert at Authorize.Net. “The average merchant may not know how much they can do when it comes to protecting themselves and their customers from fraud,” says Gibbons. “There are a number of steps that they can take, but they must be consistent and constantly on alert.”

Most major payment gateway companies offer technical tools, high levels of encryption and transaction monitoring, and most small merchants tend to leave it at that—it’s that false sense of invulnerability. However, in order to protect themselves and their customers, Gibbons says they need to take some measures of their own.

The 13 Bricks Of A Human Firewall

Here are 13 things an ecommerce merchant can do to lower their fraud exposure:

Never send sensitive information via email.

Leave discreet voicemail messages. Do not leave detailed messages involving sensitive information that can be overheard.

Make copies carefully. Always remove and retain originals from the copy machine when making copies of sensitive documents.

Do not cut and paste potentially sensitive information from any proprietary or confidential business application into emails or otherwise distribute sensitive information insecurely to customers.

Only share customer data with internal personnel on a need-to-know basis.

Do not discuss sensitive information where it can be overheard.

Check the Internet regularly for phony copies of your website. If you find a “spoof site,” contact the website’s provider immediately.

And, number 13? Never, never, never give a password, a credit card number or any sensitive information to anyone on the phone, especially a cordless or cell phone. That nice man who is trying to help your mother with her taxes may be another Kevin Mitnick trying to get his digital foot in the door.